- Kaspersky finds that a fake DeepSeek application is being promoted through Google ads
- The installer bundles legitimate software with malware
- The malware routes confidential data through attacker-controlled servers
Kaspersky’s cybersecurity researchers have spotted a new malware distribution campaign that abuses DeepSeek as a lure.
In a report, the researchers say that unidentified hackers built a counterfeit version of the DeepSeek-R1 website which hosted Ollama or LM Studio, tools that let users run large language models (LLMs) locally on their own computer, without needing an internet connection.
However, the tools were bundled with a piece of malware called BrowserVenom, which configures the victim’s web browsers to send all their traffic through the attackers’ server. As a result, any confidential data, such as credentials, passes first through the malicious servers, where it can easily be collected.
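The report describes the malware’s effect as a browser proxy setting that points at an attacker-run host. The following is an added example, not code from Kaspersky’s report, showing how a defender could audit two places where such a setting commonly lives: a Firefox `user.js`/`prefs.js` file and the `--proxy-server` flag in a Chromium-style browser shortcut. The allowlist, both sample inputs and the `203.0.113.10:8080` address are constructed for illustration and are not indicators from the report.

```python
"""
Added example (not from Kaspersky's report): flag browser proxy settings
whose endpoint is not on an allowlist. Assumes proxy settings live in a
Firefox prefs file and/or a Chromium shortcut's --proxy-server flag. The
allowlist and both sample inputs are constructed; 203.0.113.10 is a
documentation address, not an indicator of compromise.
"""
import re

# Hypothetical allowlist: proxies an organisation actually deploys.
ALLOWED_PROXIES = {"proxy.corp.example:3128"}

# Firefox prefs line, e.g. user_pref("network.proxy.http", "1.2.3.4");
_PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[\w.]+)",\s*(.+?)\);')
# Chromium flag, e.g. --proxy-server="http=1.2.3.4:8080" or --proxy-server=host:port
_CHROME_RE = re.compile(r'--proxy-server=(?:"([^"]*)"|(\S+))')


def firefox_proxy_findings(prefs_text: str) -> list[str]:
    """Return sorted 'host:port' proxy endpoints from a Firefox prefs file
    that are not allowlisted. Only a manual configuration (type 1) counts."""
    prefs = {key: raw.strip().strip('"') for key, raw in _PREF_RE.findall(prefs_text)}
    if prefs.get("network.proxy.type") != "1":
        return []
    findings = set()
    for proto in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port")
        if host and port:
            endpoint = f"{host}:{port}"
            if endpoint not in ALLOWED_PROXIES:
                findings.add(endpoint)
    return sorted(findings)


def chromium_proxy_findings(shortcut_args: str) -> list[str]:
    """Return sorted proxy endpoints from --proxy-server flags in a shortcut's
    command line that are not allowlisted."""
    findings = set()
    for quoted, bare in _CHROME_RE.findall(shortcut_args):
        value = quoted or bare
        # Value is either 'host:port' or 'scheme=host:port;scheme=host:port'.
        for part in value.split(";"):
            endpoint = part.split("=", 1)[-1]
            endpoint = re.sub(r"^\w+://", "", endpoint)  # drop a leading scheme://
            if endpoint and endpoint not in ALLOWED_PROXIES:
                findings.add(endpoint)
    return sorted(findings)


# Constructed sample inputs (not taken from the report).
SAMPLE_USER_JS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.10");
user_pref("network.proxy.ssl_port", 8080);
'''
SAMPLE_SHORTCUT = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--proxy-server="http=203.0.113.10:8080;https=203.0.113.10:8080"'
)

if __name__ == "__main__":
    print("Firefox:", firefox_proxy_findings(SAMPLE_USER_JS))
    print("Chromium:", chromium_proxy_findings(SAMPLE_SHORTCUT))
```

Both checks return an empty list when the configured proxy is on the allowlist or when Firefox is not in manual proxy mode, so the output can be fed straight into an alerting rule. On a real endpoint the prefs text and shortcut command line would be read from the user profile and the `.lnk` target respectively; that collection step is outside this example.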
BrowserVenom
The site was advertised through Google ads. When a victim clicks the download button, the site first checks which operating system they are using and, if it is Windows, serves the malware.
Users of other operating systems were not targeted, but Windows users had to pass a CAPTCHA, after which the malware was served.
Kaspersky says that BrowserVenom evades Windows Defender’s protection “with a special algorithm,” but did not give further details. The company stressed that the infection process requires administrator privileges on the Windows user profile; without them it will not execute at all.
Most of the victims were located in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, Kaspersky added, but it did not say how many people were affected.
“While running large language models locally offers privacy benefits and reduces dependence on cloud services, it can also come with substantial risks if adequate precautions are not taken,” said Kaspersky security researcher Lisandro Ubiedo.
“Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can install keyloggers, cryptominers or infostealers. These fake tools compromise a user’s sensitive data and pose a threat, particularly when users have downloaded them from unverified sources.”